What you really don’t want in the midst of Sarbanes-Oxley compliance is any kind of sudden surprise. Getting caught off-guard in the middle of a compliance effort can slow things down considerably and create rifts within the company. The audit committee chair suddenly finding out about a material weakness in internal controls that should have been brought to their attention weeks ago could derail the Sarbanes-Oxley timeline. A CFO being apprised of a broken chain of command that could have been addressed from day one understandably won’t be happy.
Such scenarios can largely be avoided by baking in an effective communication plan at the outset of the SOX compliance program to keep management and stakeholders up to speed on progress and findings. Setting up communication pathways at regular intervals between peers, SOX project sponsors, senior management, the board members (the audit committee in particular) is essential. You can identify problems early and take action on them, thereby avoiding any nasty surprises. This streamlines your program and creates a better outcome.
Let’s Talk About This
Communication is an inherent part of Sarbanes-Oxley Act compliance. In particular, the section informally referred to as SOX 404, internal controls over financial reporting, lets investors and regulators know whether management and the auditors stand by the company’s internal controls and, in effect, the company’s accounting policies and practices. If the statement made is a positive one, it requires documentation to back it up with evidence to show that a thorough evaluation occurred. If there’s a weakness to report, that could call into question the adequacy of the financial information being shared.
But in between the start of a Sarbanes-Oxley program and the final signoff by the CEO and CFO are many opportunities for a communication breakdown, from the SOX project manager not having access to the audit committee to stakeholders outside the finance team not knowing they have any responsibility for SOX compliance. For a successful SOX program, be sure you have a well-crafted communication plan that covers these key areas:
Educate the SOX stakeholders.
Outside of finance, Sarbanes-Oxley is often a mystery when it hasn’t yet become a way of life at companies. For companies looking at their internal controls as they near an IPO and for newly public companies gearing up for SOX for the first time, they should meet early with stakeholders who need to understand their connections and deliverables for this compliance effort, including those outside of the finance function like HR and sales. Sarbanes-Oxley experts brought on board can help to keep these stakeholders aware of their responsibilities and what needs to happen next or what is missing in the process, at the right level, without overburdening everyone with more details than they need to know.
Make sure you have smooth communication pathways.
Those leading the SOX work—whether they are outside consultants or internal leaders—need to keep an open flow of communication from the beginning of the process to the end. If something looks amiss or a problem arises, it needs to be addressed swiftly. Identify the control owners and decide how often certain key players need to be updated about how testing is going. Schedule updates at frequent intervals and stay organized with the facts, so everyone knows what’s happening, from the testers and executives to the audit committee and external auditor.
Foster two-way communication.
Management also needs to be informative, providing up-to-date information necessary for testing, while those leading the SOX program need to be up-front, too, to bring to light information management needs to know, provide progress updates, and deal with any problems that pop up.
Flag issues early.
It’s better to have the tough conversations early on and address the issues than to deliver bad news when up against a deadline or when a problem has worsened. This is one of those times when the SOX manager needs to have access to senior management, to make noise when necessary and create solutions to fix a problem. By being solutions-focused, the SOX team will be known for providing answers rather than just surfacing complaints. Complaints don’t result in improvements. Those on the team who are more accustomed to SOX compliance shouldn’t be fearful of communicating any issues but instead should be naturally forthcoming, and alert those who need to be in the know.
Communication’s Role in Compliance
A breakdown in controls can mess with a company’s ability to provide trustworthy, reliable financial statements. Sarbanes-Oxley compliance helps public companies pinpoint such issues, and companies gearing up for an IPO wisely look for any gaps in their controls, too.
All too often, though, these compliance efforts can be slowed or put into jeopardy if communication flows are spotty or weak. That’s why it is best to have a solid communication plan built into the entire program. It should not be an afterthought, but a careful process designed from the start. This foundational layer involves early collaboration with stakeholders, the right set of reviews, regular updates and checkpoints, and careful consideration of information for the audit committee and the board. A lapse in any key communication pathway can bring about a nasty surprise, and set up the project for failure.
A team with deep experience with the ins and outs of Sarbanes-Oxley compliance can ensure this entire process goes seamlessly. Make the most of your Sarbanes-Oxley partners’ acumen so that the risks to the business are clearly understood. They bring a fresh perspective, with insights pulled from other companies in your industry, as well as specialized expertise. They know who needs to know what, when. It’s all part of a well-designed communication plan.
RoseRyan Director Christopher Ludwig heads our Corporate Governance practice, which includes our Sarbanes-Oxley Compliance and Internal Audit solutions designed for fast-moving companies. He previously was director of Sarbanes-Oxley compliance and internal audit at SOAProjects, and he has held compliance-focused and finance roles at KPMG, CafePress.com, The Federal Reserve Bank of San Francisco, and IBM.